Securing smart grid and advanced metering infrastructure

The year is 2020, high economic, military and cultural tension between Russia & the US.

You are at the London office, entering a video meeting with the sales team in America, the American team presents with enthusiasm the sales achievement of the recent quarter, then, suddenly the call is disconnected. You are trying to re-establish the connection with no success.

You are receiving a WhatsApp message to your mobile: “we have an electricity outage in the office, we are leaving the conference room. We will reschedule”.

One hour later, reports are starting to pop up in the media announcing about an outage in dozens of countries in the US.

A few hours later, many Tweets from the news channel indicate that the US president is about to give a special announcement about the power outage in the US.

You turn on the television and the president begins to speech: “Today we are experiencing a national tragedy. Dozens of areas in the US have been cut off from power, in what appears to be a cyber-attack on our country.”

“I have spoken with the director of the FBI who confirmed that millions of meters have transformed into bricks”

“I have ordered a full resource of the federal government, go to help the victimizes and their family and to conduct full-scale investigation to hunt down and to find the people who committed this act”

Science fiction? Let us review some of the examples from the recent years.

Black hat as an incubator

The Black Hat conference is a meeting place for cyber-security activists around the world. On several occasions, it presented vulnerabilities and exploits on smart/electricity metering devices and network.

It began in 2008 when Cleveland presented how to send a disconnect message to millions of smart meters on the power grid.

A year later, P. McDaniel and S. McLaughlin demonstrated how to change the energy usage of the smart meter.

In 2014, researchers from universities in the United States and China introduced the “puppet attack” that increased the network traffic of smart meter by up to 20%, which could potentially lead to a denial of service attack.

From the cyber security conferences to a reality

During the recent years, there have been two cyber-attacks on power plants in the largest country in Europe – Ukraine, which for the first time in the history succeeded to disrupted and cut power in a country.

The cyber-attacks, which were a part of the Russia-Ukraine war, began in December 2015, when 230,000 people were left without electricity for one to six hours as attackers hit three electricity providers in Ukraine and demonstrated a variety of techniques, including spear phishing emails, variants of the “BlackEnergy” malware, and the manipulation of Microsoft Office documents that contained the malware to gain a foothold in the networks.

A year after, another cyber-attack hit the capital Kiev when citizens were disconnected from power for an hour due to a malware framework called “Industroyer” or “crashoverride”, specifically designed to attack electric grids, succeeded to shut down the Ukraine’s power plant.

Lesson Learned?

In addition to the two cases attributed to Russia, there was another case in June 2017 when the Chernobyl nuclear power plant was extinguished by damage caused by the Petya / No Petya malware, which affected rail stations, banks, and parliamentary activities.

Three conditions to materialize a cyber attack

An analysis of the events in Ukraine indicates that in order for a cyber-attack to materialize, three conditions must exist: opportunity, ability, and motivation.

Opportunity: every day hundreds and dozens of new security vulnerabilities are being discovered across different platforms – some of them are published and some of them not.

These vulnerabilities are a window of opportunity for potential attackers in transition to exploit.

Ability: in an age of HaaS (hacking as a service), hacktivism, organized crime and hackers groups that publish Nation’s cyber tools, the ability to execute a major cyber-attack has become easier, faster and smarter than ever.

Motivation: what causes the attacker to attack? various reasons. In continuous to the first chapter – it was an anonymous act that conducted to totally disrupt the US citizen normal life.

Hardware level attack example

This part of the article will focus on the advanced metering attack surface. The smart metering infrastructure consists of three main components:

Smart meter

Meters Hub,

Data management System.

These components are part of a heterogeneous, multi-vendor system and interfaces that communicate using standards for such as: IEC 62056.

Smart meters are usually installed in public places such as residential & business areas and their function is to identify and calculate the power consumption. The meters are connected to the data management system through hubs and enable the service provider to manage the meter remotely and provide additional innovative services to customers.

Schematically smart meter has 5 main components: 1. Main control unit 2. Identification and calculation unit 3. PLC communication unit 4. Radio communication unit 5. Optical management interface. Each of the components has an attack surface.

The next part of the article will focus on the attack surface of the control unit.

The main control unit orchestrates the main functions of the metering and includes microcontrollers, memory chips and firmware. The primary control unit is exposed to hardware and firmware attacks by an attacker who has physical access to the primary control unit and can install compatible malicious hardware to help steal the encryption keys or use an unprotected JTAG interface to extract data from the central control unit such as passwords.

An attacker can use an unprotected JTAG to run a malicious firmware that would allow an attacker to control information transmitted from the data management system and to support external interfaces such as a cellular modem to allow remote connection.

Firmware and hardware manipulation can also steal and change the electricity usage which has major implications, including customer privacy and provider’s cache flow (theft of electricity).

We should embrace cyber security initiatives as we embrace innovation and new technologies, the evolution of techniques and technologies used by attackers is a wakeup call to the regulator, leading power companies, and vendors to add cyber defense as safety, reliability and productivity in order to minimize the ability and opportunity of the cyber attack as an act of war.

About the author: About Adi Nae Gamliel

Adi is leading a CTO team that responsible for managing the secure enterprise architecture and secure business technologies for strategic customers, The team also manages the strategic technologies and operations of cybersecurity activities, including cloud security, software-defined security, microservices, IoT\OT security and more.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.